ACE Topic: How to allow ACE to login to an App server with certificate and perform Health check probe

RAMAN AZIZIAN
Level 1

Fellow specialist,

I have a new requirement from my customer and I would like to find out if anyone has had a similar request or a possible solution.

As always thanks for your valuable inputs.

Requirement:

The customer would like the ACE to log in to an App server with the required certificate and perform a health check. The application does require the client to log on with a certificate.

Our current Production network design Model:

Cisco 6500, 10/100/1000, VSS model, ACE module (25 context and 10k license SSL)

ACE SSL (no SSL termination on the ACE).

ACE SLB Mode: Bridged Mode

Sticky: IP SRC/DST sticky

prediction: leastconn

Basic Class map, policy map, service policy

Questions:

1) Can a certificate be loaded on the ACE without the use of SSL termination on the ACE card?

2) Can you recommend probes for this type of request (client logon with cert requirement)?

3) How many certificates can be loaded on the ACE if there are several requirements like this?

4) If FT (Fault Tolerant) is in the current topology, will the same certificate be applied to each ACE module?

5) Sticky should not be an issue in this design, right?

Please let me know if you need me to provide any more information.

Thanks,

Raman Azizian

5 Replies

Sean Merrow
Level 4

Hello Raman,

Let me see if I can help here:

Questions:

1) Can a certificate be loaded on the ACE without the use of SSL termination on the ACE card?

Yes, but the certificate cannot be used for client certificate authentication for an HTTPS probe.

2) Can you recommend probes for this type of request (client logon with cert requirement)?

The ACE does not currently support client certificate authentication for HTTPS probes, and it doesn't appear to be on the roadmap.  You may want to reach out to your Cisco partner or representative and see about getting a product enhancement request for this feature.

3) How many certificates can be loaded on the ACE if there are several requirements like this?

You can have up to 3800 certs and 3800 keys installed on the ACE module or 4710 appliance.  You can see this limit and others here.

4) If FT (Fault Tolerant) is in the current topology, will the same certificate be applied to each ACE module?

SSL certificates and keys loaded on one ACE are not automatically applied to the FT peer ACE.  They must be manually imported to both ACEs in the FT environment.

5) Sticky should not be an issue in this design, right?

Sticky is not an issue with SSL, unless you need to do some layer-7 sticky other than SSL Session ID sticky.  This is because when using HTTPS, the HTTP headers are encrypted.  When load balancing SSL, the only real sticky options are source-IP or SSL Session ID.

Hope this helps,

Sean

That brings up the question of how one would do health check probes on any application that uses SSL client auth.

Any ideas?

Hi Duane,

Well, if the server won't allow you to do the HTTPS probe without doing client certificate authentication, then you might have to drop down to just doing a TCP probe on port 443.  Certainly not as thorough as a full blown HTTPS probe, but would get your load balancing working.

Sean

Yes. Thanks for the quick reply. In my case the app is Tomcat/Apache and somehow IIS is involved initially. IIS does a redirect back to Tomcat. All that to say a 443 probe would pass due to IIS being up, and they are trying to detect Apache/Tomcat failure. I am trying to get them to script some internal checks and put their UP or DOWN status on a static IIS page.

Nice.  That might be a plan then.  You could then use expect regex to look for your UP or DOWN string in the body of the HTML using an HTTP probe.  Just make sure the server includes a Content-Length header in the response, or it won't work.

Sean
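As an added illustration of the two probe styles Sean describes (not configuration from the thread or from Cisco documentation), the ACE snippet below defines a plain TCP probe on 443 as the fallback and an HTTP probe that matches a status string on a static page. The status page path /health/status.html, port 80 for that page, the Host header value, the "STATUS: UP" string and the rserver names are assumptions; the page must be served with a Content-Length header, as noted above, or the regex match will not work.

```text
! Fallback described in the thread: reachability of port 443 only.
! This passes as long as IIS answers the TCP handshake, so it cannot
! detect a failed Apache/Tomcat behind the redirect.
probe tcp TCP443
  port 443
  interval 10
  faildetect 3
  passdetect interval 30
  open 3

! Deeper check: the server-side script writes "STATUS: UP" or
! "STATUS: DOWN" into a static page; the probe fails unless the
! UP string is present. Assumed path, port and Host header.
probe http APP_STATUS
  port 80
  interval 10
  faildetect 3
  passdetect interval 30
  passdetect count 2
  request method get url /health/status.html
  header Host header-value "app.example.com"
  expect status 200 200
  expect regex "STATUS: UP"

! Assumed server farm using the leastconns predictor from the
! original design; the HTTP probe decides whether a real server stays in service.
serverfarm host APP_FARM
  predictor leastconns
  probe APP_STATUS
  rserver APP1
    inservice
  rserver APP2
    inservice
```

Matching a full "STATUS: UP" string rather than a bare "UP" avoids a false pass if the page ever embeds the word elsewhere, and keeping the status page on a dedicated path makes it easy to restrict what it exposes.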
